DDoS: Layer 7?



Cloudflare is not made for protect from layer7 at all.

Use a service like sucuri.

Cloudflare paid plan dont protect anything at all.


believe you need Cloudflare Business or Enterprise for Layer 7 https://www.cloudflare.com/plans-b/ ?

but guess that ain’t perfect too

Layer 7 Attacks
A new breed of attacks target Layer 7 of the OSI model, the “application” layer. These attacks focus on specific characteristics of web applications that create bottlenecks. For example, the so-called Slow Read attack sends packets slowly across multiple connections. Because Apache opens a new thread for each connection, and since connections are maintained as long as there is traffic being sent, an attacker can overwhelm a web server by exhausting its thread pool relatively quickly.

Cloudflare has protections in place against many of these attacks, and in real world experiences we generally reduce HTTP attack traffic by 90%. For most attacks, and for most of our customers, this is enough to keep them online. However, the 10% of traffic that does get through traditional protections can still be overwhelming to customers with limited resources or in the face of very large attacks. In this case, Cloudflare offers a security setting called “I’m Under Attack” mode (IUAM).

IUAM is a security level you can set for your site when you’re under attack. When IUAM is turned on, Cloudflare will add an additional layer of protections to stop malicious HTTP traffic from being passed to your server. While a number of additional checks are performed in the background, an interstitial page is presented to your site’s visitors for 5 seconds while the checks are completed. Think of it as a challenge where the tests are automatic and visitors never need to fill in a CAPTCHA.


yup part is important too having your backend origin’s web stack performance optimised as best you can

So for commonly attacked url paths you can deploy rate limiting in general i.e. for my wordpress auto installer i wrote i automatically add rate limiting and connecting limiting at nginx level and set wp-login.php to just 1 request/s. There’s no reason a legit visitor on same IP would want to request the login page more than once per second :slight_smile:

for other url paths, you may need to first load stress test how much you can handle on backend first without cloudflare in front and those numbers would be your max acceptable request rate you can handle. Then set it to a percentage of the max. So for instance of /online.php request to a forum etc is heavily hit and you stress tested your server to be able to handle 100 requests/s to /online.php, you may want to limit to 50-60 requests/s and bursts to 80-100 requests/s on /online.php.


Hi there and you have a few options to help stop the attack

  1. Enable I’m under attack mode (stops most but not all botnets)
  2. Buy Cloudflare’s rate limiting (Billed per 10,000 allowed requests) OR business plan ($200/month)
  3. CAPTCHAing related countries (rarely works)

For small attacks (below 100k r/s), if you have a server with root access, you could setup nginx’s rate limits, log the errors, then call the Cloudflare API to automatically ban IP Addresses that are repeat infringers of the limit. This takes work to setup and get the perfect limits for your website.


Afair fail2ban has Cloudflare integration.


I’m aware. It still takes time to find the perfect limits (to avoid accidental bans, 50r/s 5000r/m, works for me)


To echo what @eva2000 and @lunorian mentioned, I’m Under Attack Mode (IUAM) can be very effective against L7 attacks and is available on all plan levels (but has to be turned on manually). Rate Limiting is also effective, with the added benefit that it responds automatically (but at an added cost).

btw…this is exactly the kind of discussion we hoped people would find here. Thanks to @services for raising the question, and to @komarEX for having the response with the most likes (so far). You two will be the first recipients of my utterly arbitrary “misc participation” reward of a Cloudflare T-Shirt. I’ll message you for size and address info. If anyone else wants a shirt, don’t worry. I anticipate that there will be many opportunities.


The Cloudflare API and Custom Nginx Modules provides a lot of opportunity for customized blocking. Fail2ban is also helpful.

If you can afford it Cloudflare Business does the custom blocking for you, if not do what you can with the API, of course you’ll need some coding knowledge to do so. I enjoy it but I’ll probably buy Cloudflare Business late 2017.


Cloudflare UAM can be bypass EASLY with a php script or any simple DDOS botnet that have a JS bypass.

UAM is not a real solution for protection !


It’s true you can get the cookie and pass with an attack script easily, but it’s blocks some of the most common scripts out there. When combined with rate limits it solves a lot of issues :slight_smile:


I would use rate limiting as we have had great usage from using this.


Again. Rate limite only helps if the attacks come from ONE single IP…


maybe provide us with as sample of your access logs via pastebin or gist.github.com to see if there’s a pattern to the madness ?

are they hitting static assets js/html/css or dynamic ones like php based ?

how many requests/s is your server receiving ?

you can use ngxtop https://github.com/lebinh/ngxtop to generate reports parsing your access logs etc

i.e. to parse access log group by http user agent

ngxtop -l /path/to/access.log --no-follow --group-by http_user_agent

or group by --group-by http_referer or --group-by remote_addr

or combine them

ngxtop -l /path/to/access.log --no-follow --group-by http_user_agent,remote_addr


Yes right you are :slight_smile:



I understand the concerns of @services concerning the Layer 7 attacks, I am in the world of video games and I manage the infrastructure of a Minecraft server with several thousand players each day, we receive on average 3 attacks layer 7 per week but with the help of a friend we were able to put a dull to Layer 7 attacks with Fail2ban, most of the layer 7 attacks used various IP addresses to attack stronger and passed the limitations but with a good configuration with Fail2ban you can easily block HTTP Flood attacks to your server.

Here is a tutorial in French explaining the effective way of blocking an HTTP Flood attack with nginx and fail2ban.